I need to access the /api/users endpoint on the API, but it doesn’t let me do that and returns "Permission denied for the current user to search the Omeka\Api\Adapter\UserAdapter resource."
Even though I am a global admin. Is there a header I should send with this API call, and if so, what is that header's name and what value should I put in it?
I have been working on this issue for quite a while now… Is there something I am missing?
Hello,
First you need to go to Users > Edit (pencil icon next to your privileged user) > TAB (API Keys) and set a new API key (let’s say 123456; use a secure one, obviously).
On save you will be presented with
Then call your REST API using the above like this: https://<DOMAIN>/api/users/?key_identity=ZudzGSGxLTnv0KfvvzXQE6YNmRpEuCTW&key_credential=wUwPVS78K5NAFEprgIBGkEzBvtN281Hb
Is there a way I can hide this key from my clients? Like when I want to call it and get a specific user, how can I hide my key_identity and credential from the client's browser?
You should never call the API from the client side (at least those endpoints demanding credentials). The above should be called ALWAYS server-side.
If you are using a client-side app (e.g. React) you should implement a proxy service that will hide this from end users. What I do, using next.js, is to create endpoints under /api/ and then call these points only after the user is logged in (so there’s an authenticated session) or following the latest version to get the results and do the SSR first.
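The proxy approach described above, as an added example that is not part of the original posts: a framework-neutral server-side handler that adds the Omeka S keys on the server, takes the user id from the authenticated session rather than from the request, and returns only allow-listed fields. The environment variable name, the session shape, the function names and the returned field names (`o:id`, `o:name`, `o:role`) are assumptions.

```javascript
// Added example: server-side proxy for a single Omeka S user record.
// Assumptions: OMEKA_BASE env name, session.omekaUserId, and the
// o:id / o:name / o:role field names are illustrative.
const OMEKA_BASE = process.env.OMEKA_BASE || "https://omeka.example.org";

// Build the upstream URL. The API keys are attached here, on the server,
// so they never appear in anything sent to the browser.
function buildUpstreamUrl(userId, keys) {
  // Accept only a plain positive integer so the id cannot alter the path.
  if (!/^[1-9][0-9]*$/.test(String(userId))) {
    throw new RangeError("user id must be a positive integer");
  }
  const url = new URL(`/api/users/${userId}`, OMEKA_BASE);
  url.searchParams.set("key_identity", keys.identity);
  url.searchParams.set("key_credential", keys.credential);
  return url;
}

// Allow-list the fields the browser may see; everything else is dropped.
function toPublicUser(record) {
  return { id: record["o:id"], name: record["o:name"], role: record["o:role"] };
}

// Returns { status, body } for the caller's own profile only.
// fetchImpl is injectable so the handler can be exercised offline.
async function getOwnProfile(session, keys, fetchImpl = globalThis.fetch) {
  if (!session || !session.omekaUserId) {
    return { status: 401, body: { error: "login required" } };
  }
  // The id comes from the server-side session, not from client input,
  // so a logged-in user cannot request another user's record.
  const res = await fetchImpl(buildUpstreamUrl(session.omekaUserId, keys));
  if (!res.ok) {
    // Do not forward upstream error bodies to the browser.
    return { status: 502, body: { error: "upstream request failed" } };
  }
  return { status: 200, body: toPublicUser(await res.json()) };
}
```

In a Next.js route under /api/, the route handler would call `getOwnProfile` with the session it has already validated and keys read from server-only environment variables.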
I won’t be using my Global Admin key on the client side for sure. This is just to retrieve the metadata for a user with a researcher role.
I tried to plug in the credentials using the same format but with the keys of my researcher accounts and it returned "Omeka S encountered an error. To learn how to see more detailed information about this error, see the Omeka S User Manual page on retrieving error messages."
I want it to return the metadata for that specific user when called.
The API doesn’t allow anonymous access to the user resources, and if you’re not passing credentials, you’re anonymous. The API only works with the passed keys to authenticate the user, regardless of if you’re logged in to the regular web interface.
A forthcoming version will add a different read-only “api-local” endpoint that does use the auth login cookie, to make it simpler to get privileged information via the API for a logged in user.
I am passing the key_identity and the key_credential for the researcher into /api/users?key_identity=xxx&key_credential=yyy, and I am still getting a list of all the users in my Omeka instance.
Is there any way I can get the researcher's metadata, like the name for instance, and not use that same key to get all the users? My issue will be solved. This provides safety for everyone on my Omeka instance.